Cisco Systems CL-28826-01 Security Camera User Manual

28-24
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Using Passive Mode to Migrate to GET VPN
Step 1 Create the new GET VPN topology in Security Manager using the Create VPN wizard. When you are in the wizard, ensure that you make these selections:
• When selecting devices, choose the key servers for the topology, but for group members, select the first set of group members that will be migrated. For more information, see Selecting Devices for Your VPN Topology, page 24-32.
• When configuring the group encryption settings, select Receive Only. This enables the SA receive-only feature for the entire topology. For more information, see Defining GET VPN Group Encryption, page 24-51.
For information about creating VPNs, see Creating or Editing VPN Topologies, page 24-28.
Step 2 Deploy the configurations to all devices in the VPN. The group members should now be able to receive encrypted traffic but not send it. For information on the deployment process, see the following topics based on the Workflow mode you are using:
• Deploying Configurations in Non-Workflow Mode, page 8-29
• Deploying Configurations in Workflow Mode, page 8-35
Step 3 Outside of Security Manager, verify that all of the group members are functioning properly.
For example, you can test whether the group members are able to send and receive encrypted packets using the following CLI commands on the group member devices:
• On group member 1, configure the following command, where “groupexample” is the name of the GDOI group for the VPN. This command sets the device to accept encrypted or clear text, but to send only clear text.
crypto gdoi gm group groupexample ipsec direction inbound only
• On group member 2, configure the following command. This command sets the device to accept encrypted or clear text, but to send encrypted text.
crypto gdoi gm group groupexample ipsec direction inbound optional
• Ping group member 1 from group member 2. Group member 2 should encrypt the packet before sending it, and group member 1 should accept it and decrypt it. If you ping member 2 from member 1, the ping should be sent in clear text and accepted by member 2. Ensure that your ACLs allow pings.
Step 4 In Security Manager, select Manage > Site-to-Site VPNs (see Site-to-Site VPN Manager Window, page 24-18).
Select the GET VPN topology, then select Group Members.
Add the remaining group members that you want to add to the topology (click the Add Group Member (+) button, select the devices, and click OK).
If you want to use passive mode to test the new group members before enabling full encryption, ensure that you select Enable Passive SA Mode when configuring the group members:
• To configure an individual group member, select it and click the Edit Group Member (pencil) button.
• To enable passive mode on more than one device at a time, use Shift+click or Ctrl+click to select multiple devices, then right-click and select Edit Passive SA Mode. You can then select the option and click OK.
For more information on configuring group members, see Configuring GET VPN Group Members, page 28-20.
Step 5 Deploy the configuration changes to all devices in the VPN. All devices should be operating in passive mode at this point.
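The following Python script is an added example, not part of the Cisco guide, that models the Step 3 ping test and the Step 5 "all devices in passive mode" check. It takes a constructed inventory of the ipsec direction command applied to each group member, predicts whether a ping between two members travels in clear text or encrypted and whether the receiver accepts it, and flags a fleet that is not yet uniformly passive. The full-encryption default (a member with neither command set accepts only encrypted traffic) is an assumption of the model.

```python
import re

# Matches the two commands shown in Step 3 of the guide.
DIRECTION_RE = re.compile(
    r"crypto gdoi gm group (?P<group>\S+) ipsec direction inbound (?P<mode>only|optional)"
)

def parse_member(cmd_text: str) -> dict:
    """Derive a group member's send/accept behaviour from the command applied to it.
    inbound only     -> receive-only: accepts encrypted or clear, sends clear only
    inbound optional -> passive:      accepts encrypted or clear, sends encrypted
    neither          -> full encryption (assumed default): sends and accepts encrypted only
    """
    m = DIRECTION_RE.search(cmd_text)
    if not m:
        return {"group": None, "mode": "full", "sends": "encrypted", "accepts": {"encrypted"}}
    mode = "receive-only" if m.group("mode") == "only" else "passive"
    return {"group": m.group("group"), "mode": mode,
            "sends": "clear" if mode == "receive-only" else "encrypted",
            "accepts": {"encrypted", "clear"}}

def ping_result(src: dict, dst: dict) -> str:
    """Predict how a ping from src to dst is sent and whether dst accepts it."""
    wire = src["sends"]
    return f"sent {wire}, " + ("accepted" if wire in dst["accepts"] else "dropped")

def audit(inventory: dict) -> dict:
    """inventory: {member_name: command text}. Reports per-member mode and readiness for Step 5."""
    states = {name: parse_member(text) for name, text in inventory.items()}
    modes = {s["mode"] for s in states.values()}
    return {
        "modes": {n: s["mode"] for n, s in states.items()},
        "all_passive": modes == {"passive"},                               # Step 5 expectation
        "clear_senders_vs_full": "receive-only" in modes and "full" in modes,  # clear pings would be dropped
    }

if __name__ == "__main__":
    # Constructed inventory mirroring the two devices used in the Step 3 test.
    inventory = {
        "gm1": "crypto gdoi gm group groupexample ipsec direction inbound only",
        "gm2": "crypto gdoi gm group groupexample ipsec direction inbound optional",
    }
    gm1, gm2 = parse_member(inventory["gm1"]), parse_member(inventory["gm2"])
    print("gm2 -> gm1:", ping_result(gm2, gm1))   # sent encrypted, accepted
    print("gm1 -> gm2:", ping_result(gm1, gm2))   # sent clear, accepted
    print(audit(inventory))                        # all_passive is False until gm1 is switched
```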